Updated freetype packages that fix one security issue are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. These packages provide both the FreeType 1 and FreeType 2 font engines.

A buffer overflow flaw was found in the way the FreeType library handled malformed font files compressed using UNIX compress. If a user loaded a specially-crafted compressed font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-2895)

Note: This issue only affects the FreeType 2 font engine.
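As an added illustration (this is not FreeType's code, and the advisory does not describe the specific defect that was patched), the following Python shows the one check an LZW decoder of the kind used by UNIX compress must make on every code word it reads: the code must be a literal byte, an already-learned string, or exactly the next free table slot. The encoder, both decoders, and the code values are constructed here; compress's bit packing and maximum-bits limit are left out.

```python
# Added illustration: a minimal LZW codec of the kind behind UNIX compress,
# without compress's bit packing or max-bits limit. Assumption: the exact
# FreeType defect is not described by the advisory; this shows the generic
# validation of table indices that any LZW decoder needs.

CLEAR = 256      # compress's clear code (block mode)
FIRST = 257      # first code assigned to a learned string


def lzw_encode(data: bytes) -> list:
    """Reference encoder producing a well-formed code stream for the checks below."""
    table = {bytes([i]): i for i in range(256)}
    next_code = FIRST
    w = b""
    out = []
    for byte in data:
        wc = w + bytes([byte])
        if wc in table:
            w = wc
        else:
            out.append(table[w])
            table[wc] = next_code
            next_code += 1
            w = bytes([byte])
    if w:
        out.append(table[w])
    return out


def lzw_decode_unchecked(codes) -> bytes:
    """Decoder that trusts every code word. Any code not yet in the table is
    treated as the KwKwK special case, so a malformed stream is silently
    accepted; a C decoder indexing a fixed-size array with the same code
    would instead read past the table."""
    table = {i: bytes([i]) for i in range(256)}
    next_code = FIRST
    prev = None
    out = bytearray()
    for code in codes:
        entry = table[code] if code in table else prev + prev[:1]
        out += entry
        if prev is not None:
            table[next_code] = prev + entry[:1]
            next_code += 1
        prev = entry
    return bytes(out)


def lzw_decode(codes) -> bytes:
    """Hardened decoder: a code must be a literal, an already-learned string,
    or exactly next_code (the KwKwK case); anything else is malformed input."""
    table = {i: bytes([i]) for i in range(256)}
    next_code = FIRST
    prev = None
    out = bytearray()
    for code in codes:
        if code == CLEAR:
            table = {i: bytes([i]) for i in range(256)}
            next_code = FIRST
            prev = None
            continue
        if not 0 <= code <= next_code:
            raise ValueError(f"code {code} outside table (next free slot {next_code})")
        if code in table:
            entry = table[code]
        elif code == next_code and prev is not None:
            entry = prev + prev[:1]          # KwKwK: string being defined right now
        else:
            raise ValueError(f"code {code} referenced before it was defined")
        out += entry
        if prev is not None:
            table[next_code] = prev + entry[:1]
            next_code += 1
        prev = entry
    return bytes(out)


def is_well_formed(codes) -> bool:
    """True if the hardened decoder accepts the stream, False if it rejects it."""
    try:
        lzw_decode(codes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"TOBEORNOTTOBEORTOBEORNOT"
    print(lzw_decode(lzw_encode(sample)) == sample)
    print(is_well_formed([97, 300]))     # code 300 with only 257 defined
```

The stream `[97, 300]` is the shape of input the check exists for: the unchecked decoder returns bytes as if nothing were wrong, while the hardened one rejects it before touching the table.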

Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The X server must be restarted (log out, then log back in) for this update to take effect. Any other long-running application that links FreeType directly keeps the old library mapped until it, too, is restarted.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The IBM 1.4.2 SR13-FP10 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-0311, CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0865, CVE-2011-0867, CVE-2011-0871)

Note: The RHSA-2011:0490 java-1.4.2-ibm update did not provide a complete fix for CVE-2011-0311, although its erratum text stated that it did.

All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP10 Java release. All running instances of IBM Java must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

Updated dhcp packages that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address.

Two denial of service flaws were found in the way the dhcpd daemon handled certain incomplete request packets. A remote attacker could use these flaws to crash dhcpd via a specially-crafted request. (CVE-2011-2748, CVE-2011-2749)
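As an added illustration of the failure class named above (this is not ISC dhcpd code, and the advisory does not say which packet shapes trigger the two CVEs), the following Python parses the options field of a DHCP request twice: once trusting the packet, so a request cut short before its END option reads past the buffer, and once with every read checked against the packet length, so an incomplete request is rejected instead of crashing the parser. The sample DHCPDISCOVER and its truncations are constructed here; option concatenation (RFC 3396) and the overload option are left out.

```python
# Added illustration, not ISC dhcpd code: parsing the options field of a DHCP
# request, first trusting the packet and then hardened so an incomplete packet
# is rejected rather than crashing the parser. Assumption: the advisory does not
# describe the packets behind CVE-2011-2748/2749; a request truncated before
# its END option is used here as the generic example of an incomplete request.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236          # RFC 2131 fixed fields, op through file
OPT_PAD, OPT_END = 0, 255


def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed sample DHCPDISCOVER: fixed header, magic cookie, then
    options 53 (message type), 61 (client id), 55 (parameter list), END."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,           # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"", b"",        # chaddr, sname, file (zero padded)
    )
    assert len(header) == FIXED_HEADER_LEN
    options = (
        bytes([53, 1, 1])
        + bytes([61, 7, 1]) + mac
        + bytes([55, 3, 1, 3, 6])
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


def parse_options_unchecked(pkt: bytes) -> dict:
    """Trusting parser: walks type-length-value options until END and never
    compares its position with len(pkt). A request cut short before END, or
    inside an option, indexes past the buffer (IndexError here; an
    out-of-bounds read in a C implementation)."""
    opts = {}
    i = FIXED_HEADER_LEN + len(MAGIC_COOKIE)
    while pkt[i] != OPT_END:
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_options(pkt: bytes) -> dict:
    """Hardened parser: every read is bounded by the packet length, so an
    incomplete request is rejected with ValueError before it is acted on."""
    start = FIXED_HEADER_LEN + len(MAGIC_COOKIE)
    if len(pkt) < start:
        raise ValueError("packet shorter than fixed header plus cookie")
    if pkt[FIXED_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i, end = start, len(pkt)
    while True:
        if i >= end:
            raise ValueError("options not terminated by END")
        code = pkt[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= end:
            raise ValueError(f"option {code} truncated before its length byte")
        length = pkt[i + 1]
        if i + 2 + length > end:
            raise ValueError(f"option {code} declares {length} bytes past end of packet")
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length


def outcome(parser, pkt: bytes) -> str:
    """Run a parser on a packet and report 'ok' or the exception class name."""
    try:
        parser(pkt)
        return "ok"
    except Exception as exc:            # observing the failure is the point here
        return type(exc).__name__


if __name__ == "__main__":
    pkt = build_discover(b"\x00\x11\x22\x33\x44\x55")
    for cut in (0, 1, 3):               # full packet, END missing, cut inside option 55
        short = pkt[:len(pkt) - cut]
        print(cut, outcome(parse_options_unchecked, short), outcome(parse_options, short))
```

The difference between the two parsers is only the three length comparisons; on a well-formed request they return the same options, and only the malformed inputs separate an IndexError (a crash in the daemon) from a ValueError the caller can log and drop.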

Users of DHCP should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing this update, all DHCP servers will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.